From: palica <palica+netfiler@cupka.name>
To: netfilter@vger.kernel.org
Subject: Re: nftables DNAT not working
Date: Thu, 22 Oct 2015 00:01:55 +0200 [thread overview]
Message-ID: <56280B53.7090001@cupka.name> (raw)
In-Reply-To: <562769E9.5000200@cupka.name>
OK, just for reference, this works with iptables:
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*raw
:PREROUTING ACCEPT [3275:234388]
:OUTPUT ACCEPT [2229:414696]
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*nat
:PREROUTING ACCEPT [289:10144]
:INPUT ACCEPT [289:10144]
:OUTPUT ACCEPT [2:152]
:POSTROUTING ACCEPT [11:644]
:LXC - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j LXC
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j LXC
-A POSTROUTING -s 10.0.3.0/24 ! -o lxcbr0 -j MASQUERADE
-A POSTROUTING -s 10.0.3.40/32 -d 10.0.3.40/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A LXC ! -i lxcbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.3.40:80
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*mangle
:PREROUTING ACCEPT [3275:234388]
:INPUT ACCEPT [3151:212528]
:FORWARD ACCEPT [104:20660]
:OUTPUT ACCEPT [2229:414696]
:POSTROUTING ACCEPT [2333:435356]
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*filter
:INPUT ACCEPT [291:10240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2229:414696]
:LXC - [0:0]
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ssh_whitelist
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o lxcbr0 -j LXC
-A FORWARD -o lxcbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lxcbr0 ! -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -o lxcbr0 -j ACCEPT
-A LXC -d 10.0.3.40/32 ! -i lxcbr0 -o lxcbr0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
I have created an lxcbr0 bridge with 10.0.3.1/24, and the veth (slave of lxcbr0) for the LXC has 10.0.3.40/24; the Internet-facing interface was changed to eth0.
I will try to convert these iptables rules to nftables tomorrow.
palica
On 10/21/2015 12:33 PM, palica wrote:
> Hello list,
>
> Please help me debug this.
>
> I have the 4.0.5 kernel and nftables 0.5 installed. This is my ruleset:
>
> table ip filter {
>     chain input {
>         type filter hook input priority 0; policy accept;
>         ct state established,related counter packets 303 bytes 18088 accept
>         ct state invalid counter packets 4 bytes 292 log prefix "Invalid traffic: " drop
>         iif lo counter packets 0 bytes 0 accept
>         ip protocol icmp accept
>         tcp dport ssh ct state new counter packets 5 bytes 212 log prefix "New SSH connection: " accept
>         tcp dport { http, https} ct state new counter packets 7 bytes 352 log prefix "New HTTP/S connection: " accept
>         counter packets 30 bytes 1497 log prefix "Dropped traffic: " drop
>     }
>
>     chain forward {
>         type filter hook forward priority 0; policy accept;
>         ct state new counter packets 0 bytes 0 log prefix "FORWARD CHAIN: " accept
>     }
>
>     chain output {
>         type filter hook output priority 0; policy accept;
>         ct state new counter packets 33 bytes 2476 log prefix "OUTPUT CHAIN: "
>     }
> }
> table ip nat {
>     chain prerouting {
>         type nat hook prerouting priority 0; policy accept;
>         tcp dport { http, https} counter packets 0 bytes 0 log prefix "DNAT :" dnat 10.0.3.40
>         log prefix "DNAT prerouting: "
>     }
>
>     chain postrouting {
>         type nat hook postrouting priority 0; policy accept;
>         ip saddr 10.0.3.0/24 oif br0 counter packets 0 bytes 0 snat 37.187.110.20
>         log prefix "SNAT postrouting: "
>     }
> }
> table ip6 filter {
>     chain input {
>         type filter hook input priority 0; policy accept;
>         iif lo counter packets 0 bytes 0 accept
>         ct state established,related counter packets 8 bytes 768 accept
>         ct state invalid counter packets 0 bytes 0 log prefix "Invalid traffic: " drop
>         icmpv6 type { nd-router-advert, nd-neighbor-advert, echo-request, nd-neighbor-solicit} counter packets 70 bytes 5024 accept
>         tcp dport ssh ct state new counter packets 0 bytes 0 log prefix "New SSH connection: " accept
>         tcp dport { https, http} ct state new counter packets 2 bytes 160 log prefix "New HTTP/S connection: " accept
>         udp dport domain ct state new counter packets 0 bytes 0 log prefix "New DOMAIN connection: " accept
>         counter packets 0 bytes 0 log prefix "Dropped connection: " drop
>     }
> }
>
> These are the only two packets that get logged upon trying to connect to port 80:
>
> Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:1c:e6:c7:52:07:40:86:dd SRC=2001:41d0:0008:d609:0000:0000:0000:0001 DST=2001:41d0:000a:6314:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=660071 PROTO=TCP SPT=60001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:10:bd:18:e5:ff:80:08:00 SRC=5.135.156.9 DST=37.187.110.20 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=15350 DF PROTO=TCP SPT=58750 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
> The network interface is br0; the destination for DNAT is an LXC using veth.
>
> What am I doing wrong / overlooking?
>
> Thank you very much for your time.
>
> Palica
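The working iptables-save dump from the reply, rewritten in nftables syntax as an added example; this is not palica's ruleset and not a message from the thread. It assumes the names given in the thread (lxcbr0, eth0, 10.0.3.40), uses `fib daddr type local` in place of `-m addrtype --dst-type LOCAL` (this needs a newer kernel and nft than the 4.0.5/0.5 in the thread, where the DNAT statement is also written without `to`), and omits the `ssh_whitelist` jump because that chain is not in the dump.

```nft
#!/usr/sbin/nft -f
# Added example: nftables equivalent of the iptables-save dump in the thread.
# Assumed names: bridge lxcbr0, uplink eth0, container 10.0.3.40.
flush ruleset

table ip nat {
    chain lxc {
        # -A LXC ! -i lxcbr0 -p tcp --dport 80 -j DNAT --to-destination 10.0.3.40:80
        iifname != "lxcbr0" tcp dport 80 dnat to 10.0.3.40:80
    }
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # -A PREROUTING -m addrtype --dst-type LOCAL -j LXC
        fib daddr type local jump lxc
    }
    chain output {
        type nat hook output priority -100; policy accept;
        # -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j LXC
        ip daddr != 127.0.0.0/8 fib daddr type local jump lxc
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # -A POSTROUTING -s 10.0.3.0/24 ! -o lxcbr0 -j MASQUERADE
        ip saddr 10.0.3.0/24 oifname != "lxcbr0" masquerade
        # hairpin case: the container talking to its own published port
        ip saddr 10.0.3.40 ip daddr 10.0.3.40 tcp dport 80 masquerade
    }
}

table ip filter {
    chain lxc {
        # -A LXC -d 10.0.3.40 ! -i lxcbr0 -o lxcbr0 -p tcp --dport 80 -j ACCEPT
        ip daddr 10.0.3.40 iifname != "lxcbr0" oifname "lxcbr0" tcp dport 80 accept
    }
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "eth0" ct state related,established accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        oifname "lxcbr0" jump lxc
        oifname "lxcbr0" ct state related,established accept
        iifname "lxcbr0" oifname != "lxcbr0" accept
        iifname "lxcbr0" oifname "lxcbr0" accept
    }
}
```

Load it with `nft -f` and confirm the DNAT is applied with `nft list ruleset` and `conntrack -L`; note that the dump's FORWARD policy is ACCEPT, so the filter rules only count traffic, and switching that chain to `policy drop` is what actually limits the container to the published port.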